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Abstract 


scan _winpref etch  is  a  C++  and  thread-safe  Windows  prefeteh  seanner  for  the  bulk. extractor 
framework  that  deeodes  prefeteh  files.  The  deeoder  analyzes  disk  images  for  Windows 
prefeteh  files.  Af  fhe  eomplefion  of  analyzing  eaeh  prefeleh  file  found  on  fhe  disk  image,  a 
fexf  file  is  ereafed  eonfaining  a  XML  oufpuf  defailing  all  found  prefeleh  files. 


1  Introduction 

Prefeleh  files  are  files  ereafed  by  fhe  Mierosofl  Windows  operaling  system  lhal  eonlains,  for  eaeh  appli- 
ealion  run,  fhe  name  of  fhe  appliealion,  fhe  DLLs  and  direelories  used,  appliealion  Iasi  run  lime,  fhe  lolal 
number  of  limes  lhal  fhe  appliealion  has  been  run,  and  fhe  lime  lhal  Ihe  prefeteh  file  ilself  was  ereafed  [1]. 

Despite  Ihe  usefulness  of  Ibis  informalion  for  forensie  examinalion,  and  despite  supporl  for  deeoding  Ihe 
prefeteh  file  formal  in  fools  sueh  as  Guidanee  Software’s  Enease,  Ihe  analysis  of  Windows  Prefeteh  files 
is  slill  a  relalively  rare  oeeurrenee  for  many  eompuler  forensies  examinations. 

Prefeteh  analysis  may  be  relatively  uneommon  beeause  the  Windows  operating  system  prunes  the  files 
in  fhe  7„SYSTEMROOT°/o\Pref  etch  direelory  when  fhe  direelory  beeomes  loo  large.  The  direelory  enlries 
are  Ihen  soon  re-alloealed  lo  olher  prefeleh  files.  Thus,  many  of  Ihe  mosl  useful  Windows  prefeteh  files 
on  a  lypieal  hard  drive  under  examination  will  be  found  not  in  the  yoSYSTEMROOT7o\Pref  etch  directory, 
but  in  unallocated  space  on  the  hard  drive,  where  they  can  only  be  found  through  file  carving. 

scan .winpref etch  is  a  C++  and  Ihread-safe  Windows  prefeleh  scanner  for  fhe  bulk. extractor  framework 
lhal  locates  prefeteh  files  in  bulk  dala  and  decodes  Iheir  conlenls.  The  scanner  creates  a  block  of  XML 
eonfaining  fhe  decoded  conlenls  for  each  prefeteh  file  found,  and  stores  Ihis  XML  in  Ihe  bulk. extractor 
fealure  file. 

Windows  prefeleh  files  have  an  abundanl  amounl  of  informalion  lhal  can  help  in  answering  questions  of 
indenl  and  suspicious  behaviors  of  an  application.  Bui  mosl  prefeteh  analyzers  only  operate  on  files.  By 
creating  a  prefeteh  decoder  for  bulk. extractor,  Ihe  scanner  combines  file  carving  wilh  prefeteh  decoding, 
potentially  giving  Ihe  examiner  access  to  significanlly  more  information. 

Currenlly  mosl  analysis  lhal  is  performed  on  prefeteh  files  is  a  first-order  analysis  where  Ihe  files  are 
examined  for  plain  value  of  Ihe  information  lhal  Ihey  conlain.  By  oulpulling  Ihe  conlenls  of  Ihe  decoded 
prefeteh  file  in  XML,  Ihe  prefeteh  scanner  also  makes  il  easier  to  develop  automated  processing  routines 
lhal  perform  second-order  forensic  analysis — for  example,  correlation  belween  Ihe  conlenls  of  differenl 
prefeteh  files  on  Ihe  same  disk,  or  on  differenl  disks. 

By  combining  Ihe  prefeteh  scanner  wilh  bulk.extractor.  Ibis  projecl  enables  systematic  examination  of 
prefeteh  files  to  become  a  slandard  pari  of  all  forensic  examinations,  wilh  no  additional  time  expended  on 
Ihe  pari  of  Ihe  examiner.  The  prefeleh  scanner  imposes  minimal  overhead  on  bulk. extractor’s  processing 
time. 
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2  Background  and  Related  Work 

2.1  bulkjextractor 

Prefetch  related  research  has  not  been  wide  spread  since  its  introduction  in  Windows  XP.  As  this  feature 
continues  to  be  unnoticed,  the  forensic  benefit  is  not  being  used.  There  have  been  multiple  discussions 
about  prefetch  files  on  blogs  and  news  arficles. 

Windows  XP  infroduced  fhe  mefhodology  of  pre-felching  pages  and  files  for  sfarfup  applications  [5].  Pre- 
felching  improves  fhe  sfarf-up  (booling)  process  of  an  applicalion  by  prefelching  fhe  necessary  files  and 
loading  fhem  info  memory  for  use.  Applicafions  in  fhe  Windows  Operafing  sysfem  since  XP  will  create 
a  prefelch  file  locafed  in  %SYSTEMROOT%\Prefeteh.  Naming  convenfion  of  fhe  file  is  (progname)- 
(hash).pf.  The  file  will  only  be  creafed  during  fhe  inifial  run  of  an  applicalion.  The  number  of  files 
crealed  can  be  up  lo  128  files  [4].  In  fhe  file  name,  fhe  hash  value  represenls  fhe  localion  of  where  fhe 
application  was  run.  The  hash  algorilhm  was  researched  by  Kharli  [11].  The  prefelch  file  conlains  fhe 
name  of  fhe  applicalion,  fhe  DLLs  and  directories  used,  Iasi  run  lime,  fhe  number  of  limes  an  application 
was  run  and  creation  lime  [1].  Morrison  describes  fhe  Windows  “Prefelcher,”  fhe  program  lhal  creales 
prefelch  files  [6]. 

Wade  discussed  fhe  forensic  value  of  prefelch  files.  In  addition,  he  discussed  fhe  properlies  of  fhe 
prefelch,  whaf  arlifacls  can  be  used  and  several  Ihird  parly  tools  lhal  he  used  to  analyze  if  [1]. 

Kornblum  presented  information  aboul  Ihe  Windows  Visla  super  prefelch  file  al  Ihe  2008  DoD  Cyber 
Crime  Conference  [4]. 

Garlinkel  infroduced  a  mulli-lhreaded  bulk  dala  analysis  tool,  bulkjextractor,  lhal  can  exlracl  forensic 
evidences  more  quickly  surpassing  Guidance  Software’s  EnCase  exlraclion  speed  [8].  He  proposed  lhal 
existing  tools  do  nol  completely  analyze  disk  images  and  may  overlook  valuable  digilal  arlifacls. 

3  scan  winpref etch 

The  scanner  is  pari  of  Ihe  bulkjextractor  framework  as  a  scanner.  The  scanner  receives  dala  in  a  sbuf  and 
reporls  ils  findings  using  the.  feature  .recorder  system. 

The  firsl  step  of  Ihe  scanner  is  to  look  for  Ihe  signalure  of  bytes  lhal  indicates  Ihe  slarl  of  a  prefelch  file. 
The  prefelch  file  signalure  is  an  eighl  byte  value.  In  Windows  XP,  Visla  and  7,  Ihe  signalure  is  differenl 
by  a  single  byte.  On  Windows  XP,  Ihe  signalure  has  Ihe  firsl  byte  to  be  0x11  (17  in  decimal)  (figure  1). 
On  Windows  Visla  and  Windows  7,  Ihe  0x1 1  is  replaced  by  0x17  (23  in  decimal)  (figure  2). 

Once  a  header  is  found,  Ihe  scanner  creates  a  C++  objecl  lhal  conlains  a  reference  to  Ihe  prefelch  file’s 
slarl  in  Ihe  bulk  dala.  The  objecl  conlains  inslance  melhods  lhal  decode  and  relurn  on-lhe-lly  olher 
information  wilhin  Ihe  prefelch  file,  including  Ihe  Iasi  run  lime,  position  of  DLLs  and  directories,  end  of 
file  offsel,  elc.  The  scanner  is  designed  so  lhal  allempls  to  reference  memory  oulside  Ihe  buffer  resull  in 
a  relurn  value  of  “0.”  This  would  happen  if  Ihe  prefelch  file  is  Iruncaled  or  corrupt 

00000000  11  00  00  00  53  43  43  41  Of  00  00  00  3e  a3  01  00  |  _ SCCA _ >. . . | 

Figure  1:  Windows  XP  prefetch  file  signature 

The  scanner  automatically  decodes  the  filenames  from  the  UTL-16  encoding  stored  in  prefetch  files  and 
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00000000  17  00  00  00  53  43  43  41  11  00  00  00  3a  2a  05  00  |  _ SCCA _ | 


Figure  2:  Windows  7  prefetch  file  signature 


re-encodes  the  filenames  as  UTF-8  whieh  is  stored  in  the  feature  tile.  Charaeters  that  would  result  in  an 
invalid  Unieode  eoding  are  ignored,  as  they  are  usually  the  result  of  eorruption  in  the  disk  image.  Times 
are  presented  in  ISO  8601  format. 

In  typieal  use,  multiple  prefeteh  files  are  found,  and  they  are  all  reeorded  in  the  single  winprefetch.txt 
feature  file.  The  features  are  eneoded  using  a  set  of  Digital  Forensies  XML  tags  that  represent  feature 
file  artifaets  [2]. 

4  Results 

A  prefeteh  tile  may  have  many  DLLs  and  direetories  assoeiated  to  it.  The  number  of  DLLs  and  diree- 
tories  used  depends  on  the  applieations  startup  proeess.  Figure  3  is  a  sample  of  the  XML  produeed  by 
scanjwinprefetch.  The  XML  has  been  pretty-printed  for  ease  of  viewing. 

Eaeh  individual  prefeteh  file  is  enelosed  in  <pref  etchx/pref  etch>  tag.  Within  the  <prefetch> 
tag,  different  tags  are  used  for  eaeh  extraetion.  The  four  sub-levels  are  header,  volume,  filenames,  and 
dirnames. 

The  <header>  seetion  deseribes  the  possible  operating  system  the  prefeteh  eame  from,  the  prefeteh  file 
header  size,  the  applieations  name,  the  number  of  times  the  applieation  was  run  and  when  it  was  last 
aeeessed. 

The  <volume>  tag  presents  the  serial  number  and  name  of  the  deviee  from  whieh  the  program  was  run. 
The  aeeuraey  of  the  serial  number  was  eonfirmed  through  experiments. 

The  <f  ilenames>  and  <dirnaines>  seetions  are  the  list  of  DLLs  and  direetories  used  by  the  applieation 
during  the  startup  proeess. 

4.1  Limitations 

scanjwinprefetch  must  address  the  possibility  of  eorrupted  or  missing  data.  The  seanner  is  will  eontinu- 
ously  proeess  the  entire  area  that  eontains  a  prefeteh  file  signature.  Several  bytes  or  the  entire  seetion  may 
have  been  overwritten,  thus  removing  the  possibility  of  extraeting  useful  information.  Onee  the  seanner 
is  eompleted,  winprefetch.txt  will  eontain  the  extraeted  data  displayed,  but  this  may  inelude  some  eor¬ 
rupted  data,  (scan  jwinpref etch  eontains  logie  to  deteet  and  suppress  some  kinds  of  eorruption.)  At  the 
point  that  eorruption  is  deteeted,  the  seanner  stops  proeessing  the  eurrent  prefeteh  file  and  starts  seanning 
for  the  next. 

5  Conclusion  and  Future  Work 

Prefeteh  files  will  eontinue  to  be  used  by  Windows  operating  system  and  forensie  examiners.  The  sean¬ 
ner,  scan  jwinpref etch,  provides  bulk. extractor  the  additional  ability  to  find  prefeteh  files  and  extraet 
artifaets  relatively  quiekly.  The  artifaets  from  prefeteh  files  ean  provide  the  examiner  with  answers  to 
when,  what  and  where. 
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<pref etch> 

<header> 

<os>Windows  Vista  or  Windows  7</os> 

<header_size>240</header_size> 

<f  ilenaine>IEXPLORE .  EXE</f  ilename> 

<runs>53</runs> 

<atime>20 11-02-07X13 : 03 : 24</atime> 

</header> 

<volume> 

<path>\DEVICE\HARDDISKVOLUMEl</path> 

<serial_number>b46f 6927</ serial_number> 

</volume> 

<creation>2010-08-18T06 : 13 : 10</ creation> 

<f ilenames> 

<file>\DEVICE\HARDDISKV0LUMEl\WIND0WS\SYSTEM32\NTDLL.DLL</file> 
<file>\DEVICE\HARDDISKV0LUMEl\WIND0WS\SYSTEM32\KERNEL32.DLL</file> 
</f ilenames> 

<dirnames> 

<dir>\DEVICE\HARDDISKVOLUMEl\PRDGRAM  FILES</dir> 
<dir>\DEVICE\HARDDISKVOLUMEl\PRDGRAM  FILES\C0MMDN  FILES</dir> 
<dir>\DEVICE\HARDDISKVOLUMEl\PRDGRAM  FILES\ JAVA</dir> 
<dir>\DEVICE\HARDDISKVOLUMEl\PRDGRAM  FILES\ JAVA\ JRE6</dir> 
</dirnames> 

</pref etch> 


Figure  3:  Pretty-printed  XML  output  ofwinprefetch.txt 


The  winprefetch.txt  file  ereated  by  the  seanner  ean  be  analyzed  with  automated  tools  or  ean  be  reviewed 
manually  by  the  examiner  using  simple  eommands  like  Notepad.exe  and  grep.  The  eontent  of  the  prefeteh 
files  ean  help  differentiate  between  malieious  applieations,  hidden  applieations,  and  trusted  applieations. 

The  prefeteh  scanner  described  here  can  be  extended  to  process  Superfetch  files.  Although  they  are  in 
the  same  directory  as  the  prefetch  files,  they  have  a  different  file  format.  Currently  there  is  little  use,  little 
to  no  known  information  about  superfetch  and  its  forensic  value.  The  behavior  was  briefly  described  by 
Microsft  to  create  a  profile  of  the  users’  application’s  activity  which  includes  the  days  and  times  the  user 
runs  them  [10].  Prefetch  provides  the  forensic  examiner  of  when  an  application  was  last  used  and  how 
many  times.  The  superfetch  will  provide  a  more  fine  grained  activity  timeline  of  an  application  and  when 
the  application  is  most  often  used.  Windows  Vista  and  Windows  7  creates  both  prefetch  and  Superfetch 
files. 
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